Subscribe to receive notifications of new posts:

Good News: Vulnerable NTP Servers Closing Down

2014-02-23

1 min read

On Monday, February 10th, CloudFlare experienced a large DDoS attack, with nearly 400Gbps of NTP attack traffic hitting our network. We were not the only networks getting hit by massive NTP attacks. Around the same time, OVH reported a similarly sized attack. Since the attack we’ve heard from a number of other networks that have seen large NTP-based attacks over the last few weeks.

We see today lot of new DDoS attacks from Internet to our network. Type: NTP AMP Size: >350Gbps. No issue. VAC is great :) — Oles (@olesovhcom) February 12, 2014

John-Graham Cumming on our team wrote a blog post before the attack describing how such an attack is possible by using a combination of spoofed UDP packets and vulnerable NTP servers.

During the 400Gbps attack we saw 4,259 IPv4 addresses of involved vulnerable servers that were sending attack traffic to our network. These networks were not controlled by the attacker directly but instead were running network time protocol (NTP) servers that responded to commands that would create very large responses, thus acting as a good amplification vector. Specifically, all of these servers were used by attackers to reply large packets in response to the "monlist" command.

Some Good News

In the aftermath of this massive attack, we decided to publish the list of networks originating these attacks hoping to have them fix the problem. Since the blog post we’ve been monitoring the networks to see whether attention to this problem has helped close the vulnerable NTP servers. The results are encouraging:

After a week and a half, more than 75% of the vulnerable servers involved in the attack are now no longer vulnerable. While in some cases the servers might be temporarily unreachable, the trend is clear: network administrators have gotten the message and are closing vulnerable NTP servers.

The people behind the openntp.org project also have noticed a massive improvement of the situation worlwide:

NTP MONLIST Amplifiers down from 490k -> 349k in the last week. http://t.co/35vLsj3DZJ to check your network. — jared mauch (@jaredmauch) February 14, 2014

Notably, we’ve seen a huge decrease from OVH, who have taken significant measures to prevent NTP attacks coming from its large installed base of servers. This is an encouraging achievement from the community, deploying tremendous efforts to solve a real problem.

Cloudflare's connectivity cloud protects entire corporate networks, helps customers build Internet-scale applications efficiently, accelerates any website or Internet application, wards off DDoS attacks, keeps hackers at bay, and can help you on your journey to Zero Trust.

Visit 1.1.1.1 from any device to get started with our free app that makes your Internet faster and safer.

To learn more about our mission to help build a better Internet, start here. If you're looking for a new career direction, check out our open positions.
AttacksReliability

Follow on X

Jérôme Fleury|@Jerome_UZ
Cloudflare|@cloudflare

Related posts

November 20, 2024 10:00 PM

Bigger and badder: how DDoS attack sizes have evolved over the last decade

If we plot the metrics associated with large DDoS attacks observed in the last 10 years, does it show a straight, steady increase in an exponential curve that keeps becoming steeper, or is it closer to a linear growth? Our analysis found the growth is not linear but rather is exponential, with the slope varying depending on the metric (rps, pps or bps). ...

October 02, 2024 1:00 PM

How Cloudflare auto-mitigated world record 3.8 Tbps DDoS attack

Over the past couple of weeks, Cloudflare's DDoS protection systems have automatically and successfully mitigated multiple hyper-volumetric L3/4 DDoS attacks exceeding 3 billion packets per second (Bpps). Our systems also automatically mitigated multiple attacks exceeding 3 terabits per second (Tbps), with the largest ones exceeding 3.65 Tbps. The scale of these attacks is unprecedented....